Research Article Conditional Ciphertext-Policy Attribute-Based Encryption Scheme in Vehicular Cloud Computing

Transcription

1 Mobile Information Systems Volume 2016 Article ID pages Research Article Conditional Ciphertext-Policy Attribute-Based Encryption Scheme in Vehicular Cloud Computing Zhitao Guan 1 Jing Li 1 Zijian Zhang 2 and Liehuang Zhu 2 1 School of Control and Computer Engineering North China Electric Power University Beijing China 2 School of Computer Beijing Institute of Technology Beijing China Correspondence should be addressed to Zijian Zhang; zhangzijian@biteducn Received 24 June 2016; Revised 22 September 2016; Accepted 16 October 2016 Academic Editor: Hui Zhu Copyright 2016 Zhitao Guan et al This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited VCC (Vehicular Cloud Computing) is an emerging and promising paradigm due to its significance in traffic management and road safety However it is difficult to maintain both data security and system efficiency in Vehicular Cloud because the traffic and vehicular related data is large and complicated In this paper we propose a conditional ciphertext-policy attribute-based encryption (C-CP-ABE) scheme to solve this problem Comparing with CP-ABE this scheme enables data owner to add extra access trees and the corresponding conditions Experimental analysis shows that our system brings a trivial amount of storage overhead and a lower amount of computation compared with CP-ABE 1 Introduction VANETs (vehicular ad hoc networks) gained great attention in recent years which can not only improve road safety but also enhance traffic management [1 2] In VANET the vehicles V2V (Vehicle to Vehicle) and V2I (Vehicle to Infrastructure) generate an enormous amount of data In order to enhance the scalability of the VANETs some studies focus on VCC (Vehicular Cloud Computing) which combines cloud computing [3 4] and VANETs together [5 6] The illustration of VCC is shown in Figure 1 In VCC mass data from different VANET nodes are collected and stored in cloud servers efficiently Meanwhile VCC is faced with serious security and privacy challenges For instance the intruders can intrude the onboard infrastructure or the cloud server to get the sensitive data which may leak the privacy of the data owner (DO) or even endanger the lives of passengers To solve this problem we introduce the CP-ABE [7] which also realizes the fine-grained access control on the encrypted data However the vehicular situation and surroundings are quite complicated; a one-off encryption under one access tree may be no longer adequate for the needs In addition the attributes consistedinaccessstructuremaydenotemoreabundant information not just descriptive information about users identities According to these attributes features we extract them from the access structure and take them as conditions When inserting other access trees the conditions extracted from them can be used for identifying the corresponding tree Maincontributionsofthispapercanbesummarizedas follows: (1) In this paper we propose a conditional ciphertextpolicy attribute-based encryption (C-CP-ABE) scheme to allow users to add extra access trees based on the original ciphertext to their own ciphertexts (2) All the trees multiply by a parameter except only one tree multiplies by the message which extends theexpressioncomparedwithoriginalcp-abein[7] without bringing a heavy computation and storage overhead (3) We further give the security analysis and performance evaluation which prove that security and performance of our scheme are no weaker than those of traditional scheme The rest of this paper is organized as follows Section 2 introduces the related work In Section 3 some preliminaries are given In Section 4 the definition of the condition is given In Section 5 the proposed scheme is stated In Section 6

2 2 Mobile Information Systems Cloud server V2I Roadside service V2V Sensors WLAN Figure 1: The illustration of VCC (Vehicular Cloud Computing) security analysis is given In Section 7 the performance of our scheme is evaluated In Section 8 the paper is concluded 2 Related Work Cloud security has been a hot topic recently [8 9] It haddevelopedanewfieldintheapplicationandresearch of public key encryption since Shamir s proposed Identity Based Encryption in [10] Based on IBE Sahai and Waters proposed a new encryption scheme called Fuzzy IBE; they thought that the users attributes did not have to be precisely matched to the attributes that are specified by data owners The ciphertext could be decrypted provided the threshold value of attributes was achieved [11] Chase constructed a multiauthority attribute-based encryption to compensate for the weaknesses of single authority in [12] allowing each authoritytobeinchargeofadomainofattributessoonthey improved the privacy and security of their previous system by removing the central trusted authority which had usability in practice [13] In [14] Kapadia et al proposed a scheme to hide the policies and plaintexts from the servers Along with the increasing number of attributes the ciphertext size grew as well To solve this problem Herranz et al gave a method to keep the size constant In the situation of the attribute universe was certain [15] The access structure adopted in the schemes before was monotonic so Ostrovsky et al tried to construct an attribute-based encryption scheme which is nonmonotonic which was proven to be secure based on Decisional Bilinear Diffie-Hellman (DBDH) assumption [16] Compared with thepreviousworklewkoetalconstructedaschemethathad been proven to be fully secure rather than selectively secure in [17] In [7 18] KP-ABE and CP-ABE are proposed respectively In KP-ABE the ciphertext s encryption policy is also associated with a set of attributes but the attributes are organizedintoatreestructure(namedaccesstree)incp- ABE the data owner constructs the access tree using visitors identity information The user can decrypt the ciphertext only if attributes in his private key match the access tree Both became the important branches of attribute-based encryption In [19 20] Attrapadung et al adopted the nonmonotonic access structure to realize key-policy attributebased encryption; what is more the size of ciphertext was designed to be constant In [21 24] the ciphertext-policy attribute-based encryption (CP-ABE) scheme with constant size ciphertexts for threshold predicates is proposed CP-ABE is a promising research area that attracts more and more attention from lots of researchers Ibraimi et al constructed a mediated CP-ABE that provided attributes revocation in [25] Similar to KP-ABE the researches on multiauthority in CP-ABE are quite a lot Li et al proposed a multiauthority CP-ABE that allowed tracing the misbehaving users; although only the AND gates were supported it extended the application of CP-ABE to some extent [26] Furtherimprovementsweremadeinthisrespect[2728] In[29]withthecaseofthepersonalhealthrecord Li et al realized the security and scalable and fine-grained access control supporting the modification of access policies andrevocationofattributesliuetalassumedthateach attribute had different importance and constructed schemes that supported the access structure with different weights in CP-ABE [30] and KP-ABE [31] Liu et al added traceability to an existing expressive efficient and secure CP-ABE scheme without weakening its security and change in the length of

3 Mobile Information Systems 3 the ciphertext and decryption key does not cause too much overhead [32] Then they realized the White-Box Traceable CP-ABE in a large universe and the storage for traitor tracing is constant [33] In [34] Goyal et al allowed the access structure to be represented by an access tree with a bounded size access tree with threshold gates as its nodes All of these existing schemes enhance the function of the original CP- ABE [7] to adapt to different scenarios In this paper we will introduce a new scheme to raise the adaptability of original CP-ABE in VCC 3 Preliminaries 31 Bilinear Maps Let G 0 and G 1 be two cyclic multiplicative groups of prime order p and g be the generator of G 0 The bilinear map e e:g 0 G 0 G 1 foralla b Z p is as follows: (1) Bilinearity: u V G 1 e(u a V b )=e(uv) ab (2) Nondegeneracy: e(g g) =1 (3) Symmetry: e(g a g b ) = e(g g) ab =e(g b g a ) 32 Complexity Assumption The Discrete Logarithm (DL) problem is defined as follows Let G be a multiplicative cyclic group of prime order p and g be its generator DL problem is to compute x Z p such that y=g x giveny R G as input The DL hardness assumption holds if no probabilistic polynomial time algorithm can solve the DL problem 33 Access Structure Let P = {P 1 P 2 P n } be a set of participants; let U=2 {P 1P 2 P } n be the universal set If AS U\{ } then AS can be viewed as an access structure If A AS B U A BandB AS then AS is monotonic Then sets in AS are defined as authorized sets while the other sets are regarded as unauthorized sets In this paper we construct an access tree T to represent the access structure All the leaves represent the attributes while the interior nodes represent the threshold gates Before encrypting the data we randomly choose a secret s and generate a polynomial for each interior node from top to bottom to share this secret To retrieve the secret we define the Lagrange coefficient Δ is For i Z p and for x S x j Δ is(x) = j Sj=i i j (1) Only the authorized sets can succeed in decryption with polynomial interpolation 4 The Condition Definition 1 (condition primitives c) The condition primitives refer to the attributes in the access tree that are not closely related to the users identities Definition 2 (condition C) The condition is a set of condition primitives by which a specific access tree can be identified CID CT DO Weather PK CS TCA Condition evaluation Road conditions SK PK C i Public status information Figure 2: System model CID CT In VCC condition primitives can be the external objective factors such as the weather the traffic and the status information released by traffic control department Comparing with the attributes related to the user s identities we do not have to be concerned that the condition primitives may lead to user privacy disclosure In our proposed scheme the condition primitives will be extracted from each access tree to form the corresponding condition In other words a condition corresponds to a specific access tree Trust Center Authority (TCA) is in charge of evaluating the current conditions and sends them to data users Condition C i may consist of several components: C i :{c a c b c c } Each element is a condition primitive which corresponds to a specific value that is randomly generated when the system is set up Once generated all the values are fixed and different from each other In our scheme we consider the relation of these conditions that belong to the same access structure to be AND We multiply these corresponding values to denote the current condition With the support of the condition when a data owner encrypts the data more than one access tree can be added to the original ciphertext When a data user requests data decryption the current condition should be checked firstly to get the corresponding access tree and then data decryption can be continued 5 The Proposed System 51 System Model In our system four entities are included namely cloud servers (CS) data owners (DOs) data receivers (DRs) and Trust Center Authority (TCA) as shown in Figure 2 Generallycloudserversareassumedtobesemitrusted We employ them to be in charge of storing our encrypted data Data owners and data receivers are either vehicle or nonmobile users The former ones decide the access policies and the corresponding conditions outsourcing their storage to CS after encrypting The latter one submits the requests to CS and obtains their secret keys that are related to the attributes from TCA Only when their attributes satisfy the access policies of data can they correctly decrypt the DR

4 4 Mobile Information Systems R i R i R i Signature Conditions Figure 3: Structure of access tree in this paper ciphertext TCA takes responsibility for evaluating DRs and assigns a set of attributes to DRs In addition conditions will be managed determined and finally transmitted to DRs by TCA InthispaperweallowDOstoaddextraaccesstreesand conditions to their own ciphertexts Each access tree is related to one or several conditions Only when its corresponding condition is satisfied can it be valid 52 Security Model The following is a security game between adversary A and challenger C Init A first chooses a challenge access structure AS and sends it to C Setup C runs this algorithm and gives the public parameters PK to the adversary A Phase 1 A issues queries for repeated private keys corresponding to sets of attributes S 1 S q1 (q and q 1 are integers that are randomly chosen by A and 1<q 1 <q) (i) If any of the sets S 1 S q1 satisfies the access structure AS thenitisaborted (ii) Else C generates the corresponding secret keys to the sets for A Challenge A submits two equal length messages M 0 and M 1 to C C randomly flips a coin b and encrypts M b under the challenge access structure AS Then the generated ciphertext CT will be given to A Phase 2 Repeat Phase 1 and the sets are turned from S 1 S q1 to S q1 +1S q GuessTheadversaryA outputs a guess b of b The advantage of an adversary A in this game is defined as Adv(A) = Pr[b = b] 1/2 53 Our Construction Our construction is based on the ciphertext-policy attribute-based encryption in [7] In this section we will describe the details of each algorithm 531 Setup This setup algorithm will choose a bilinear group G 0 of prime order p with generator g Thenitwill choose several random exponents: αβkq Z p LetU denote the total number of attributes Let V denote the total number of conditions The algorithm randomly generates u 1 u 2 u V Z p for each condition We introduce hash functions H att HC andenoughh i for the access trees in ciphertext The public key and the master key are published as PK ={G 0 gh=g β e(gg) α g kα g u 1 g u 2 g u V } MK ={βg α kq} 532 Encryption As shown in Figure 3 the original access tree is rooted at node R i (i denotes the id of the access tree) and the new root node is R i At first DO calls the data encryption subroutine to encrypt the plaintext into ciphertexts under access policies expressed in access tree structure Compared with [7] we add a new root node and insert an extra node that denotes condition and its signature (i) Enc(PK M T i C i ) CIDCTTheencryptionsubroutine takes as inputs public key PK message M access structure T i symmetric encryption keys K 1 and K 2 and condition C i and then outputs ciphertext CT and its CID In this algorithm it requires several steps to get CT being generated properly A Encrypt Data DO receives message M condition C i and one access policy The encryption algorithm encrypts M under the access structure T i From root node R i to the subtree rooted at R i this encryption algorithm is similar to that Bethencourt et al described in [7] First the algorithm chooses a random number s i Z p for root node R i whichmeansq Ri (0) = s ithenit generates polynomial for each interior node and computes (let Y be the set of leaf nodes in T i ) C i = Me (g g) αs i C i =h s i C iy =g qiy(0) (3) C iy =H att (att (y)) q iy(0) y Yi (2)

5 Mobile Information Systems 5 R i k of n Distribution of the shares: Set i1 : { } Set i2 : { } Set i3 : { } Set in : { } Figure 4: Partition of the set (x i1 y i1 ) Set i1 : { } (x i2 y i2 ) Set i2 : { } (x i3 y i3 ) Set i3 : { } (x in y in ) Set in : { } (7) B Generate CIDSimultaneously Set P 1 =g s i/k P 2 = Enc K1 (P 1 ) Enc K2 (P 2 )=CID When DO would like to add an extra access structure T i+1 to his ciphertext he first searches for the ciphertext from CS according to the CID and reencrypts it rather than reencrypting its original plaintext What is different from before is that the part of the ciphertext associated with M is no longer involved in encryption Thus the computation burden is reduced Equally the algorithm selects a random number s i+1 Z p for the new access tree T i+1 and computes according to CID: (4) C i+1 = Dec K2 (CID) e (g g) αs i+1 =P 2 e (g g) αs i+1 (5) M is encrypted under only one of the access trees; we generally set C 1 = Me(g g) αs 1 We introduce a one-dimensional array A i [u] 1 u U for each access tree T i and assign each attribute a unique number from 1 to U According to the shares and sets we set A i [1] =H i (att 1 ) (x i1 y i1 ) (att 1 Set i1 ) A i [2] =H i (att 2 ) (x i1 y i1 ) (att 2 Set i1 ) A i [m] =H i (att m ) (x i2 y i2 ) (att m Set i2 ) A i [m+1] =H i (att m+1 ) (x i2 y i2 ) (att m+1 Set i2 ) A i [U] =H i (att U ) (x in y in ) (att U Set in ) D Record the Corresponding Condition Condition C i associated with this tree is {c a c b c c } In our system we consider that one condition term only relates to one access tree For each c C i thealgorithmcomputes (8) C Generate a Signature and Share It Obviously the threshold relation of R i is AND Suppose that the polynomial of R i is q ir =ax+s i (a is randomly chosen by the algorithm) ESP randomly chooses a number t i Z p andmakesthefollowing calculation: C ic =g u c/t i C=c a c b c c C (i w i ) H c ( C CID) (9) Set w i = t i q Sig i = g (2a+s i)/t i g (u a+u b +u c )/t i =g (2a+s i (u a +u b +u c ))/t i (6) Let Y i be the set of leaf nodes in T and C be the set of conditions Finally the complete ciphertext is as follows: CT =( T 1 C 1 = Me (g g) αs 1 C 1 =h s 1 A 1 C 1y Sig i canbeviewedasasignaturefromdoassumethe threshold relation of the node R i is k of n; we first share Sig i with (k n) secret sharing scheme in [35] and then generate n pairs of (x ij y ij ) 1 j n As we know the node R i holds n branches and each branch holds several attributes Thus all the attributes can be divided into n disjoint sets that are shown in Figure 4 We distribute (x ij y ij ) 1 j n to the sets that are shown as follows =g q1y(0) C 1y =H(att (y))q 1y(0) y Y1 C 1c =g u c/t 1 c C T 2 C 2 =P 2 e (g g) αs 2 C 2 =h s 2 A 2 C 2y =g q2y(0) C 2y =H(att (y)) q 2y(0) y Y2 C 2c =g u c/t 2 c C) (10)

6 6 Mobile Information Systems 533 Key Generation DR should legally register to the attribute authorities which will assign some attributes to this DR Before decryption the authorities will generate a corresponding SK for DR based on his attributes The algorithmisasfollows (i) KeyGen(PK MSK S) SK This algorithm will take a set of attributes S as input and output a key that identifies with that set First a random r Z p was chosen for the key and random r j Z p for each attribute j S Then it computes the key as SK =(D=g (α+r)/β D =g rq D j =g r H (j) rj D j =g rj j S) (11) 534 Decryption When there is a DR requirement to decrypt a ciphertext TCA will first evaluate the current condition and send the current condition term C 0 ={c a c b c c } to DR (a) Query Tree id(c 0 CID) iw i DR gets condition term from TCA according to the current conditions and CID that is requested by DR computing as follows: C=c a c b c c H c ( C CID) C (i w i ) C H c ( C CID) (i w i ) (12) This algorithm gets the corresponding access tree id i and a parameter w i (b) Compute Condition(i C 0 SKCT) Con i Foreachc j C 0 Set e( C ij D) = e (g u j/t i g rq ) = e (g g) rqu j/t i Con i = (e (g g) rqu a/t i e (g g) rqu b/t i e (g g) rqu c/t i ) =e(gg) rq u j/t i (13) (c) Retrieve Sig(S CT PK) Sig i or Foreachatt u Sit computes A i [u] H i (att u )=x i y i (14) For each computation the algorithm gets a pair of (x y) that is shown as follows Retrieve the shares: att 1 } att 2 } { } : Set i1 (x i1 y i1 ) att 3 } { } : Set i2 att { 4 { } : Set i3 (x i3 y i3 ) S att 5 } { } : Set in (x in y in ) { } { att u } (15) As we first share Sig i with (k n) secret sharing scheme DR performs the polynomial interpolation and retrieves Sig i only basedonnolessthank different pairs of (x y)otherwiseit outputs (d) Dec(S CT i w i Con i Sig i ) Mor Oncew i Sig i and Con i areretrieveddrcomputes e(sig i D) w i w Con i i =e(g (2a+s i (u a +u b +u c ))/t i g rq ) t i/q e(gg) (rq u j/t i )(t i /q) =e(gg) r(2a+s i ) (16) For the access tree rooted at node R i thealgorithmcan leverage the Lagrange interpolation and get A = e(g g) rs i Then it computes If i=1 Else B= C 1 A e(c 1 D) B= = Me (g g)αs 1 e (g g) rs 1 e (g g) s 1(a+r) C i A e(c i D) (17) αs Me (g g) 1 e (g g) rs 1 = e(h s 1 g (α+r)/β ) =M C B= i A e(c i D) = P αs 2e (g g) i e (g g) rs i e(h s i g (α+r)/β ) = P 2e (g g) αs i e (g g) rs i e (g g) s i(a+r) The algorithm decrypts P 2 with K 1 and recovers M by computing M= =P 2 P 1 = Dec K1 (P 2 ) =g s 1/k C 1 e(g kα g s 1/k ) Otherwise it outputs (18) (19) (20) αs Me (g g) 1 = e (g g) αs (21) 1

7 Mobile Information Systems 7 6 Security Analysis We make the traditional CP-ABE more expressive by allowing DOs to add extra access trees and conditions as they like To reducethecomputationcostandstorageoverheadwereplace M with CID within the reencryption And before decryption condition values are to be computed first The modification of the ciphertexts and the way of decryption may affect the security of the system Theorem 3 If hash function H is collision resistant our system is secure against chosen plaintext attack in random oracle model Proof Since ciphertexts are CID : CT data that is exposed to the adversary is T i C i =P m e (g g) αs 1 C i =h s i A i C 1i =g qiy(0) C iy =H(att (y))q iy(0) y Yi (22) where P 0 =M We then use a random function f to replace the hash function H Therefore the adversary A can obtain T i C i =P m e (g g) αs 1 C i =h s i A i C 1i =g q iy (0) j C iy =f(att (y j)) q iy j (0) yj Yi (23) where P 0 = M This scheme is named as the alternative scheme Finally we construct an experiment to simulate the chosen plaintext attack here (1) A calls the encryption oracle to query a cipher for plaintext y j in the probabilistic polynomial time; we run the alternative scheme and return f(att(y j )) q iy (0) j asthecipher to the adversary (2) A chooses two messages y 1 j and y2 j andwereturn f(att(y 1 j ))q iy j 1 (0) f(att(y 2 j ))q iy j 2 (0) to the adversary (3) A asks a challenge plaintext; we flip a coin to generate arandomnumbery b j b {01} and send f(att(yb j ))q y j b (0) to the adversary (4) A continues to query some plaintexts which is the same as the first step (5) Finally adversary A outputs b ;itwinsifb = b Otherwise it fails There are two ways to win the experiment for the adversary (1) s j can be recovered This contradicts DL problem (2) There must exist two y and y such that f(att(y)) q y(0) =f(att(y )) q y (0) Theprobabilityisnegligible as f is a random function Above all the adversary is negligible to win in the simulation experiment Furthermore since the hash function cannot be distinguished with a random function in the random oracle model the proposed system is secure to resist chosen plaintext attack The advantage of an adversary A is defined as Adv (A) = Pr [H Collision] + Pr [Recover s j ] (24) + Pr [D wins] We define negl(k) as a function that is negligible with a security parameter k Assume that the probability that H collision occurs is Pr[H Collision]SinceH is collision resistant Pr[H Collision] is negl 1 (k) D is used to distinguish f with arandomfunctionsincef is a pseudorandom function therefore Pr[D wins] is negl 2 (k) Since it is computationally infeasible to solve DL problem Pr[Recover s j ] is negl 3 (k)in sum Adv(A) negl 1 [k] + negl 2 [k] + negl 3 [k] We complete the proof 7 Performance Evaluation In this section we analyze our proposed scheme numerically mainly discussing the computation and storage overhead 71 Computation Overhead 711 Setup This algorithm is used to define a cyclic multiplicative group and to generate a PK and MK that will be used in encryption and key generation especially The number of random numbers is fixed which means that there is no relationship between computing time and number of attributes Time complexity of the algorithm is O(1) 712 Encrypt DO first encrypts M under an access tree and the computation cost is proportional to the number of attributes in this tree If the universal attributes set in T is I ( I denotes the total number of attributes in set I) for each element in I we need 2 exponentiation operations Hence total computation complexity is O( I ) Additionally in C- CP-ABE one ciphertext is allowed to be associated with more than one access tree; if there are m access trees for each tree computation cost is proportional to the number of attributes and the total computation complexity is mo( I ) 713 KeyGen This algorithm is used to generate SK for DR Computing cost is proportional to the number of attributes inskforeachattributethealgorithmrequires2pairing operations and 1 multiplication operation If the universal attributes set is S ( S is the total number of attributes in set S I ) then the time complexity of SK computation is O( S ) 714 Decrypt Computing and checking the conditions are the first step within decryption TCA evaluates the current conditions and sends them to DR The computation cost is fixed andthe computationcomplexity iso(1) Once the valid

8 8 Mobile Information Systems Average encryption time (s) The number of the access trees Average decryption time (s) The number of the access trees Traditional CP-ABE Our system Traditional CP-ABE Our system (a) Size of ciphertext (KB) (b) The number of the access trees Our system (c) Figure 5: (a) Comparison of the average encryption times between CPABE and our system when the number of access trees is different (b) Comparison of decryption times between CPABE and our system when the number of access trees is different (c) Changes in the ciphertext size of our system when the number of access trees is different tree is found the following steps are similar to CP-ABE; the overhead mainly occurs during computing each attribute of the tree Total cost is proportional to the number of attributes in the tree Thus the complexity is O( I ) 72 Storage Overhead To realize more expressive access control more storage cost has been inevitably introduced One ciphertext is associated with more than one access tree Only one tree s secret multiplies by M while others multiply by a parameter Along with the increasing number of access trees the size of ciphertext grows However it is of low storage overhead compared with the component C = Me(g g) αs in CT In addition we create a one-dimensional array for each access tree in CT whose length is equal to the number of thetree sleafnodesthetotalstoragecostwouldnotbea significant burden for CS 73 Experimental Results With the help of the CPABEtoolkit [36] we evaluate the performance of our system and compare it with CP-ABE [7] In order to strengthen the expression of access structure we make the ciphertext to be associated with more than one access tree Compared with only one access tree in the traditional CPABE introducing more trees may affect the time of encryption and decryption However we encrypt the message only once when it has more than one access tree; the other trees are multiplied with a parameter that includes decryption information We set the size of the message as 1 G and the number of attributes in each tree as 100 For the purposes of comparison all the access trees have the same number of leaves nodes Figure 5(a) shows the average time cost of [7] and our system within encryption Figure 5(b) shows the average time cost of [7] and our system within decryption From Figures 5(a) and 5(b) we can conclude that the average computation overheads in our system are lower than that in [7] When considering that there is only one ciphertext introducing extra access trees is bound to cause the storage overhead In traditional CP-ABE scheme more trees mean more ciphertexts while in our system one ciphertext is

9 Mobile Information Systems 9 associated with a few access trees In this case it is obvious that our system reduces the storage overhead since the other trees are multiplied by a parameter rather than a message Figure 5(c) shows that along with the increasing number of access trees the ciphertext size of our system grows Obviously there exists a rough linear rise for the ciphertext size with the number of access trees but even then it does not bring a high storage overhead when compared with the original ciphertext 8 Conclusion In this paper we propose an expressive and fine-grained access control scheme C-CP-ABE in Vehicle Cloud Computingmakingitpossiblethatoneciphertextcanbeabletobe associated with more than one access tree different access tree under different conditions DOs are allowed to add new access trees and new conditions to their ciphertexts flexibly And a parameter that is calculated by ESP using s replaces Mwhichcanreducethecomputationandstorageoverhead when adding other access trees The detailed security and performance analysis have been stated There are some failings in our system such as conditions not being flexible enough All of them will be our future work Competing Interests The authors declare that there is no conflict of interests regarding the publication of this paper Acknowledgments This work was jointly supported by the National Natural Science Foundation of China (nos and ) and the Fundamental Research Funds for the Central Universities (2016MS29) References [1] MWangHShanRLuRZhangXShenandFBai Real- Time path planning based on hybrid-vanet-enhanced transportation system IEEE Transactions on Vehicular Technology vol64no5pp [2] J Shao X Lin R Lu and C Zuo A threshold anonymous authentication protocol for VANETs IEEE Transactions on Vehicular Technologyvol65no3pp [3] Z Xia X Wang L Zhang Z Qin X Sun and K Ren A privacy-preserving and copy-deterrence content-based image retrieval scheme in cloud computing IEEE Transactions on Information Forensics and Security vol 11 no 11 pp [4] Z Fu X Wu C Guan X Sun and K Ren Toward efficient multi-keyword fuzzy search over encrypted outsourced data with accuracy improvement IEEE Transactions on Information Forensics and Securityvol11no12pp [5] M Whaiduzzaman M Sookhak A Gani and R Buyya A survey on vehicular cloud computing Journal of Network and Computer Applicationsvol40no1pp [6] E Lee E-K Lee M Gerla and S Y Oh Vehicular cloud networking: architecture and design principles IEEE Communications Magazinevol52no2pp [7]JBethencourtASahaiandBWaters Ciphertext-policy attribute-based encryption in Proceedings of the IEEE Symposium on Security and Privacy (SP 07) pp IEEE Berkeley Calif USA 2007 [8] Z Xia X Wang X Sun and Q Wang A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data IEEE Transactions on Parallel & Distributed Systemsvol 27no2pp [9]ZZhouYWangQMJWuC-NYangandXSun Effective and efficient global context verification for image copy detection IEEE Transactions on Information Forensics and Securityvol12no1pp [10] A Shamir Identity-based cryptosystems and signature schemes in Cryptology pp Springer Berlin Germany 1984 [11] A Sahai and B Waters Fuzzy identity-based encryption in Cryptology EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques Aarhus Denmark May Proceedingsvol3494ofLecture Notes in Computer Sciencepp Springer Berlin Germany 2005 [12] M Chase Multi-authority attribute based encryption in Proceedings of the Theory of Cryptography Theory of Cryptography Conference (TCC 07) pp AmsterdamThe Netherlands February 2007 [13] MChaseandSSMChow Improvingprivacyandsecurity in multi-authority attribute-based encryption in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS 09) pp ACM Chicago Ill USA November 2009 [14] A Kapadia P P Tsang and S W Smith Attribute-based publishing with hidden credentials and hidden policies in Proceedings of the Network and Distributed System Security Symposium (NDSS 07) pp San Diego Calif USA February-March 2007 [15] J Herranz F Laguillaumie and C Ràfols Constant size ciphertexts in threshold attribute-based encryption in Public Key Cryptography PKC 2010PQNguyenandDPointcheval Edsvol6056ofLecture Notes in Computer Sciencepp19 34 Springer Berlin Germany 2010 [16] R Ostrovsky A Sahai and B Waters Attribute-based encryption with non-monotonic access structures in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 07) pp Alexandria Va USA November 2007 [17] A Lewko T Okamoto A Sahai et al Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption in Cryptology EUROCRYPT 2010: 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques French Riviera May 30 June Proceedings vol 6110 of Lecture Notes in Computer Science pp Springer Berlin Germany 2010 [18] V Goyal O Pandey A Sahai and B Waters Attributebased encryption for fine-grained access control of encrypted data in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS 06) pp November 2006

10 10 Mobile Information Systems [19] N Attrapadung B Libert and E D Panafieu Expressive keypolicy attribute-based encryption with constant-size ciphertexts in Public Key Cryptography PKC 2011: 14th International Conference on Practice and Theory in Public Key Cryptography Taormina Italy March Proceedings vol 6571 of Lecture Notes in Computer Science pp Springer Berlin Germany 2011 [20] N Attrapadung J Herranz F Laguillaumie B Libert E de Panafieu and C Ràfols Attribute-based encryption schemes with constant-size ciphertexts Theoretical Computer Science vol 422 pp [21] K Emura A Miyaji A Nomura K Omote and M Soshi A ciphertext-policy attribute-based encryption scheme with constant ciphertext length in Information Security Practice and Experience FBaoHLiandGWangEdsvol5451of Lecture Notes in Computer Science pp Springer Berlin Germany 2009 [22] Y Zhang D Zheng X Chen et al Computationally efficient ciphertext-policy attribute-based encryption with constant-size ciphertexts in Provable Security: 8th International Conference ProvSec 2014 Hong Kong China October Proceedingsvol8782ofLecture Notes in Computer Sciencepp Springer Berlin Germany 2014 [23] C Chen Z Zhang and D Feng Efficient ciphertext policy attribute-based encryption with constant-size ciphertext and constant computation-cost in Provable SecurityXBoyen and X Chen Eds vol 6980 of Lecture Notes in Computer Science pp Springer Berlin Germany 2011 [24] AGeRZhangCChenetal Thresholdciphertextpolicy attribute-based encryption with constant size ciphertexts in Proceedings of the Australasian Conference on Information Security and Privacy pp WollongongAustraliaJuly 2012 [25]LIbraimiMPetkovicSNikovaPHartelandWJonker Mediated ciphertext-policy attribute-based encryption and its application in Information Security Applications HYYoum andmyungedsvol5932oflecture Notes in Computer Science pp Springer Berlin Germany 2009 [26] JLiQHuangXChenSSMChowDSWongandDXie Multi-authority ciphertext-policy attribute-based encryption with accountability in Proceedings of the ACM Symposium on Information Computer and Communications Security (ASI- ACCS 11) pp ACM Hong Kong March 2011 [27] Z Liu Z Cao Q Huang et al Fully secure multi-authority ciphertext-policy attribute-based encryption without random oracles in Computer Security ESORICS 2011: 16th European Symposium on Research in Computer Security Leuven Belgium September Proceedings vol 6879 of Lecture Notes in Computer Science pp Springer Berlin Germany 2011 [28]HWangZZhengLWuandDHe Newlarge-universe multi-authority ciphertext-policy ABE scheme and its application in cloud storage systems Journal of High Speed Networks vol 22 no 2 pp [29] M Li S Yu Y Zheng K Ren and W Lou Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption IEEE Transactions on Parallel & Distributed Systemsvol24no1pp [30]XLiuJMaJXiongQLiandJMa Ciphertext-policy weighted attribute based encryption for fine-grained access control in Proceedings of the 5th IEEE International Conference on Intelligent Networking and Collaborative Systems (INCoS 13) pp51 57September2013 [31] XLiuHZhuJMaJMaandSMa Key-PolicyWeighted Attribute based Encryption for fine-grained access control in Proceedings of the IEEE International Conference on Communications Workshops (ICC 14) pp Sydney Australia June 2014 [32] Z Liu Z Cao and D S Wong White-box traceable ciphertextpolicy attribute-based encryption supporting any monotone access structures IEEE Transactions on Information Forensics and Securityvol8no1pp [33] Z Liu Z Cao and D S Wong Traceable CP-ABE: how to trace decryption devices found in the wild IEEE Transactions on Information Forensics and Security vol10no1pp [34] V Goyal A Jain O Pandey and A Sahai Bounded ciphertext policy attribute based encryption in Automata Languages and Programming pp Springer 2008 [35] A Shamir How to share a secret Communications of the ACM vol22no11pp [36] J Bethencourt A Sahai and B Waters The cpabe toolkit

11 Journal of Industrial Engineering Multimedia The Scientific World Journal Applied Computational Intelligence and Soft Computing International Journal of Distributed Sensor Networks Fuzzy Systems Modelling & Simulation in Engineering Submit your manuscripts at Journal of Computer Networks and Communications Advances in Artificial Intelligence Hindawi Publishing Corporation International Journal of Biomedical Imaging Volume 2014 Artificial Neural Systems International Journal of Computer Engineering Computer Games Technology Software Engineering International Journal of Reconfigurable Computing Robotics Computational Intelligence and Neuroscience Human-Computer Interaction Journal of Journal of Electrical and Computer Engineering